Microsoft UK Public Sector - Information Governance - Don't get beFUDdled!

Don’t get beFUDdled!

Fear, Uncertainty and Doubt have flooded into our lives with global terrorism, the credit crunch and knife crime being classic culprits. But, as Davey Winder explains, when the IT Security FUD hits the fan, things start to get really messy…

Fear, uncertainty and doubt… They’re an enemy of the public sector IT manager. FUD can best be summed up by the idea of a fire alarm salesman shouting ‘Fire! Fire!’ through the letterbox of an old lady’s house in order to scare her into buying the product.

Translated into IT security terms, and thrown into the public sector environment, FUD becomes a true thorn in the side of the IT Manager. While you might think that, being a big boy or girl now, you are immune to wagging fingers and loud voices, the truth is that as an IT Professional you find yourself faced with vague assertions of insecurity all the time. These assertions need to be either proven or debunked.

Carefully constructed half-truths are far, far worse than being faced with an obvious mistruth; they take up far more of your time to resolve.

Nobody was hurt while spreading this rumour

Forget the myth that spreading FUD leaves no body count: this is not a victimless crime. Think about it: as a busy professional, your time is best spent protecting the network, securing data and doing your job properly. Wasting time implementing solutions for problems that don’t exist, or eventually reaching the conclusion that a solution isn’t needed, could mean that a real threat is overlooked. After all, your time and that of your department is not infinite.

The Asprox example

Do you think I’m guilty of spreading a little FUD myself here? Think again, as this chain of events from the middle of 2008 demonstrates. A press release from an IT security company pointed towards a security vendor’s blog, which reported that a large number of government websites had fallen victim to a malware infection being distributed via the Asprox attack toolkit.

The vulnerability itself was an ancient SQL issue, and nothing new - as the vendor blog explained. However, the press release itself made the mistake of saying that public sector websites had fallen victim to an Asprox mass attack.

One broadsheet newspaper then claimed an eastern European hacker had put the Asprox virus onto over 1000 websites, despite there being no such thing as an Asprox virus. Not that it mattered: the FUD had spread and now time was being wasted by IT departments checking that they were protected against a largely non-existent threat. What they needed to do was ensure the network was safe from SQL injection vulnerabilities, but FUD clouded that issue.

Theatre of security

The trouble with FUD is that it comes as part of what you might call the ‘theatre of security’ performance. This is where policies have been put together to give the perception of securing systems and data, without actually doing anything of the sort. All too often, unfortunately, security vendors are guilty of taking the leading role in these productions (which the media helps to direct) by providing advice and products which do the same thing.

The IT Manager has to strike the correct balance between not falling for all the FUD that is thrown in his or her direction and, at the same time, not ignoring the underlying security truths either. There is rarely smoke without fire. At the end of the day, getting the right balance comes down to one thing: truly understanding the security requirements, implications and applications of the job. Hey, nobody said that being an IT security admin was easy…

FUD Best Practice

So how do you find that correct balance? Here is my FUD Factor Best Practice Guide:

  • Remember that warnings of Internet-related doom and gloom of an apocalyptic nature are never actually followed by the same thing in reality.
  • Don’t react with a knee-jerk at every new exploit warning.
  • Research the likelihood of that exploit a) ever reaching the ‘wild’, b) ever reaching your network and c) ever having actually existed in the first place.
  • Don’t worry too much about constantly changing your risk assessment levels or constantly looking to deploy new measures to mitigate that adjusted potential risk.
  • Instead, ensure that you have the correct policies and technologies in place to protect data and couple these with an experienced and above all else calm approach to FUD management.
